b'    Audit Report\n\n\n\n\n    OIG-07-015\n    Audit of the Financial Management Service\xe2\x80\x99s Fiscal Years 2006\n    and 2005 Schedules of Non-Entity Government-Wide Cash\n    November 20, 2006\n\n\n\n\n    Office of\n    Inspector General\n    Department of the Treasury\n\n\n\n\n0\n\x0c                                       DEPARTMENT OF THE TREASURY\n                                             W ASHINGTON, D.C. 20220\n\n\n\n\n     OFFICE OF\nINSPECTOR GENERAL\n                                               November 20, 2006\n\n\n            MEMORANDUM FOR KENNETH R. PAPAJ, COMMISSIONER\n                           FINANCIAL MANAGEMENT SERVICE\n\n            FROM:                   Michael Fitzgerald\n                                    Acting Deputy Assistant Inspector General\n                                     for Financial Management and Information\n                                     Technology Audits\n\n            SUBJECT:                Audit of the Financial Management Service\xe2\x80\x99s\n                                    Fiscal Years 2006 and 2005 Schedules of Non-Entity\n                                    Government-wide Cash\n\n\n            I am pleased to transmit the attached audited Financial Management Service\xe2\x80\x99s\n            (FMS) Fiscal Years (FY) 2006 and 2005 Schedules of Non-Entity Government-wide\n            Cash (the Schedules). We contracted with the independent certified public\n            accounting firm Clifton Gunderson LLP to audit the Schedules of Non-Entity\n            Government-wide Cash for FY 2006 and 2005. The contract required that the audit\n            be performed in accordance with generally accepted government auditing\n            standards; applicable provisions of Office of Management and Budget (OMB)\n            Bulletin No. 06-03, Audit Requirements for Federal Financial Statements; and the\n            GAO/PCIE Financial Audit Manual.\n\n            The following reports, prepared by Clifton Gunderson LLP, are incorporated in the\n            attachment:\n\n                    \xe2\x80\xa2   Independent Auditor\xe2\x80\x99s Report;\n                    \xe2\x80\xa2   Independent Auditor\xe2\x80\x99s Report On Internal Control; and\n                    \xe2\x80\xa2   Independent Auditor\xe2\x80\x99s Report On Compliance and Other Matters.\n\n            In its audit of FMS\xe2\x80\x99 Schedules, Clifton Gunderson LLP found:\n\n                    \xe2\x80\xa2   the Schedules present fairly, in all material respects, the balance of\n                        Non-Entity Government-wide Cash as of September 30, 2006 and 2005,\n                        in conformity with accounting principles generally accepted in the United\n                        States of America,\n\x0cPage 2\n\n\n        \xe2\x80\xa2   one matter involving internal control and its operation that is considered a\n            reportable condition 1 (described below), and\n\n        \xe2\x80\xa2   no instances of reportable noncompliance with laws and regulations tested.\n\nClifton Gunderson LLP concluded that there were general control weaknesses that\ndid not effectively prevent (1) unauthorized access to and disclosure of sensitive\ninformation, or (2) ensure that connectivity to systems/applications are available\nduring a disaster. Collectively these findings indicated the lack of fully effective\nentity-wide security management.\n\nIn connection with the contract, we reviewed Clifton Gunderson LLP\xe2\x80\x99s reports and\nrelated documentation and inquired of its representatives. Our review, as\ndifferentiated from an audit in accordance with generally accepted government\nauditing standards, was not intended to enable us to express, and we do not\nexpress, an opinion on FMS\xe2\x80\x99 Schedules or conclusions about the effectiveness of\ninternal control or compliance with laws and regulations. Clifton Gunderson LLP is\nresponsible for the attached auditor\xe2\x80\x99s reports dated October 31, 2006 and the\nconclusions expressed in the reports. However, our review disclosed no instances\nwhere Clifton Gunderson LLP did not comply, in all material respects, with generally\naccepted government auditing standards.\n\nShould you have any questions, please contact me at (202) 927-5789.\n\nAttachment\n\ncc:     Donald V. Hammond\n        Fiscal Assistant Secretary\n\n\n\n\n1\n  Reportable conditions are matters coming to the auditor\xe2\x80\x99s attention that, in his judgment, should be\ncommunicated because they represent significant deficiencies in the design or operation of internal\ncontrol, which could adversely affect the organization\xe2\x80\x99s ability to initiate, record, process, and report\nfinancial data consistent with the assertions of management in the Schedule.\n\x0cU. S. DEPARTMENT OF THE TREASURY,\n  FINANCIAL MANAGEMENT SERVICE\n           Washington, DC\n\n INDEPENDENT AUDITOR\xe2\x80\x99S REPORTS\n   AND SCHEDULES OF NON-ENTITY\n     GOVERNMENT-WIDE CASH\n\n     September 30, 2006 and 2005\n\x0c                                              TABLE OF CONTENTS\n\n\n\n\n                                                                                                                      PAGE\n\nINDEPENDENT AUDITOR\xe2\x80\x99S REPORT ...................................................................................1\n\nINDEPENDENT AUDITOR\xe2\x80\x99S REPORT ON\n  INTERNAL CONTROL ............................................................................................................2\n\nINDEPENDENT AUDITOR\xe2\x80\x99S REPORT ON\n  COMPLIANCE AND OTHER MATTERS.............................................................................5\n\nSCHEDULES OF NON-ENTITY\n GOVERNMENT-WIDE CASH ................................................................................................6\n\nNOTES TO THE SCHEDULES OF\n NON-ENTITY GOVERNMENT-WIDE CASH......................................................................7\n\nATTACHMENT \xe2\x80\x93 MANAGEMENT COMMENTS .................................................................9\n\x0c                                          Independent Auditor\xe2\x80\x99s Report\n\n\nTo the Office of Inspector General\n of the U. S. Department of the Treasury and the\n Commissioner of the Financial Management Service\n\n\nWe have audited the accompanying Schedules of Non-Entity Government-wide Cash of the\nU. S. Department of the Treasury\xe2\x80\x99s Financial Management Service (FMS) as of September 30,\n2006 and 2005. These schedules are the responsibility of FMS\xe2\x80\x99 management. Our responsibility\nis to express an opinion on these schedules based on our audits.\nWe conducted our audits in accordance with auditing standards generally accepted in the United\nStates of America; the standards applicable to financial audits contained in Government Auditing\nStandards issued by the Comptroller General of the United States; and applicable provisions of\nOffice of Management and Budget (OMB) Bulletin No. 06-03, Audit Requirements for Federal\nFinancial Statements. Those standards require that we plan and perform the audit to obtain\nreasonable assurance about whether the schedule is free of material misstatement. An audit\nincludes examining, on a test basis, evidence supporting the amounts and disclosures in the\nschedule. An audit also includes assessing the accounting principles used and significant\nestimates made by management, as well as evaluating the overall schedule presentation. We\nbelieve that our audits provide a reasonable basis for our opinion.\nIn our opinion, the Schedules of Non-Entity Government-wide Cash referred to above present\nfairly, in all material respects, the balance of Non-Entity Government-wide Cash managed by\nFMS as of September 30, 2006 and 2005 in conformity with accounting principles generally\naccepted in the United States of America.\nIn accordance with Government Auditing Standards, we have also issued our reports dated\nOctober 31, 2006, on our consideration of FMS\xe2\x80\x99 internal control over financial reporting relating\nto Non-Entity Government-wide Cash and on our tests of FMS\xe2\x80\x99 compliance with certain\nprovisions of laws and regulations and other matters relating to Non-Entity Government-wide\nCash. The purpose of those reports is to describe the scope of our testing of internal control over\nfinancial reporting and compliance and the results of that testing and not to provide an opinion\non internal control over financial reporting or compliance. Those reports are an integral part of\nour audit performed in accordance with Government Auditing Standards and should be\nconsidered in assessing the results of our audit.\n\n\na1\nCalverton, Maryland\nOctober 31, 2006\n\n\nOffices in 15 states and Washington, DC                1\n\x0c                               Independent Auditor\xe2\x80\x99s Report On Internal Control\n\n\nTo the Office of Inspector General\n of the U. S. Department of the Treasury and the\n Commissioner of the Financial Management Service\n\n\nWe have audited the Schedule of Non-Entity Government-wide Cash of the U. S. Department of\nthe Treasury\xe2\x80\x99s Financial Management Service (FMS), as of September 30, 2006, and have issued\nour report thereon dated October 31, 2006. We conducted our audit in accordance with auditing\nstandards generally accepted in the United States of America; the standards applicable to\nfinancial audits contained in Government Auditing Standards, issued by the Comptroller General\nof the United States; and applicable provisions of Office of Management and Budget (OMB)\nBulletin No. 06-03, Audit Requirements for Federal Financial Statements.\nIn planning and performing our audit, we considered FMS\xe2\x80\x99 internal control over financial\nreporting for Non-Entity Government-wide Cash by obtaining an understanding of relevant\ninternal controls, determined whether these internal controls had been placed in operation,\nassessed control risk, and performed tests of controls in order to determine our auditing\nprocedures for the purpose of expressing our opinion on the schedule. We limited our internal\ncontrol testing to those controls necessary to achieve the objectives described in OMB Bulletin\nNo. 06-03. We did not test all internal controls relevant to operating objectives as broadly\ndefined by the Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982, such as those controls relevant\nto ensuring efficient operations. The objective of our audit was not to provide assurance on\ninternal control. Consequently, we do not provide an opinion on internal control.\nOur consideration of the internal control over financial reporting for Non-Entity Government-\nwide Cash would not necessarily disclose all matters in the internal control over financial\nreporting for Non-Entity Government-wide Cash that might be reportable conditions. Under\nstandards issued by the American Institute of Certified Public Accountants, reportable conditions\nare matters coming to our attention relating to significant deficiencies in the design or operation\nof the internal control that, in our judgment, could adversely affect FMS\xe2\x80\x99 ability to record,\nprocess, summarize, and report financial data consistent with the assertions by management in\nthe schedule referred to above. Material weaknesses are reportable conditions in which the\ndesign or operation of one or more of the internal control components does not reduce to a\nrelatively low level the risk that misstatements caused by error or fraud in amounts that would be\nmaterial in relation to the schedule being audited may occur and not be detected within a timely\nperiod by employees in the normal course of performing their assigned functions. Because of\ninherent limitations in internal controls, misstatements, losses, or noncompliance may\nnevertheless occur and not be detected. We noted the following matter involving the internal\ncontrol and its operation that we consider to be a reportable condition. However, we do not\nbelieve this reportable condition is a material weakness.\n\n\nOffices in 15 states and Washington, DC               2\n\x0cEffectiveness of Computer Controls\n\nFMS relies on extensive information technology (IT) systems to administer Government-wide\ncash. Internal controls over these operations are essential to ensure the integrity, confidentiality,\nand reliability of critical data while reducing the risk of errors, fraud and other illegal acts.\n\nOur review of information technology controls covered general and selected application controls.\nGeneral controls are the structure, policies and procedures that apply to an entity\xe2\x80\x99s overall\ncomputer systems. They include entity-wide security management, access controls, system\nsoftware controls, application software development and change controls, segregation of duties\nand service continuity controls. Application controls involve input, processing, and output\ncontrols related to specific IT applications.\n\nWe performed a review of the computer controls at the Hyattsville Regional Operations Center\n(HROC) and Kansas City Regional Operations Center (KROC) using the Federal Information\nSystems Controls Audit Manual (FISCAM). Our review included general control testing of the\nTreasury Check Information System (TCIS), Central Accounting System (STAR), and\nGovernment On-Line Accounting Link II/Citrix (GOALS II/Citrix) applications.\n\nFor several years there have been IT general controls weaknesses at FMS in this area, and most\nrecently it was focused on the Hyattsville Regional Operations Center. FMS continues to make\nprogress and we commend FMS for the effort and improvement in the IT controls environment.\nOur testing revealed that there are still existing general control weaknesses that do not effectively\n(1) prevent unauthorized access to and disclosure of sensitive information, or (2) ensure that\nconnectivity to systems/applications are available during a disaster. Collectively these findings\nindicate the lack of fully effective entity-wide security management. Our detailed findings and\nrecommendations will be provided to management in a separate sensitive but unclassified\nmanagement letter dated October 31, 2006. A summary of the key general controls findings\nfollows:\n\nEntity-wide Security Management \xe2\x80\x93 An entity-wide program for security planning and\nmanagement represents the foundation for an entity\xe2\x80\x99s security control structure and a reflection\nof senior management\xe2\x80\x99s commitment to addressing security risks. The program should establish\na framework and continuing cycle of activity for assessing risk, developing and implementing\neffective security procedures, and monitoring the effectiveness of these procedures. Without a\nwell designed program, security controls may be inadequate; responsibilities may be unclear,\nmisunderstood, and improperly implemented; and controls may be inconsistently applied. Such\nconditions may lead to insufficient protection of sensitive or critical resources and\ndisproportionately high expenditures for controls over low-risk resources.           FMS has\ndemonstrated its ability to remediate specific IT findings. However, we found a lack of\nconsistent application of an agency-wide strategy that should be followed in all system\nimplementations. The true measure of an Entity-wide Security Management is their ability to\nimplement enhancements to the controls environment entity-wide, on all new and existing\nsystems and platforms in use. Our current year audit identified that while weaknesses were\ncorrected in some systems and platforms, they still continue to exist in other areas. This is\nevidenced by the continued existence of previously identified problems in newly reviewed areas.\n\n\n\n                                                 3\n\x0cAccess Controls \xe2\x80\x93 Access controls are designed to limit or detect access to computer programs,\ndata, equipment, and facilities to protect these resources from unauthorized modification,\ndisclosure, loss or impairment. Such controls include logical and physical security controls.\nAlthough prior access control findings have been substantially addressed, additional access\ncontrol weaknesses were identified this year. A comprehensive access control security program,\nincluding increased management oversight, is needed to fully address the administration of\naccess controls in order to increase the reliability of computerized data and decrease the risk of\ndestruction or inappropriate disclosure of data.\n\nService Continuity \xe2\x80\x93 Contingency planning should address critical services to system resources\nto ensure that operations will continue in the event of a disaster or other service interruptions.\nSuch plans and procedures should be a key part of business continuity plans. We noted issues\nwith connectivity during a disaster and system failover exercise as well as system unavailability\nand downtime issues related to the TCIS application.\n\nManagement Response and Our Comments\n\nManagement has responded to our report and the full response is included in the attachment to\nthis report. Management disagreed with the characterization of our findings as a reportable\ncondition but recognized that the deficiencies in general controls must be corrected and will\nestablish the corrective actions as soon as possible.\n\nWe have carefully reviewed management\xe2\x80\x99s response, however we have not changed our\nconclusion that general controls weaknesses existed in access controls and service continuity,\nand the continued existence of previously identified problems in newly reviewed areas is evident\nof the lack of fully effective entity-wide security management. Further, we continue to conclude\nthat these weaknesses are a reportable condition.\n\n\n                        ***************************************\n\nThis report is intended solely for the information and use of the management of FMS, the\nDepartment of the Treasury Office of Inspector General, OMB, the Government Accountability\nOffice and Congress, and is not intended to be and should not be used by anyone other than these\nspecified parties.\n\n\na1\nCalverton, Maryland\nOctober 31, 2006\n\n\n\n\n                                                4\n\x0c                   Independent Auditor\xe2\x80\x99s Report On Compliance and Other Matters\n\n\nTo the Office of Inspector General\n of the U. S. Department of the Treasury and the\n Commissioner of the Financial Management Service\n\n\nWe have audited the Schedule of Non-Entity Government-wide Cash of the U. S. Department of\nthe Treasury\xe2\x80\x99s Financial Management Service (FMS), as of September 30, 2006, and have issued\nour report thereon dated October 31, 2006. We conducted our audit in accordance with auditing\nstandards generally accepted in the United States of America; the standards applicable to\nfinancial audits contained in Government Auditing Standards, issued by the Comptroller General\nof the United States; and applicable provisions of Office of Management and Budget (OMB)\nBulletin No. 06-03, Audit Requirements for Federal Financial Statements.\n\nThe management of FMS is responsible for complying with laws and regulations applicable to\nNon-Entity Government-wide Cash. As part of obtaining reasonable assurance about whether\nthe Schedule of Non-Entity Government-wide Cash is free of material misstatement, we\nperformed tests of its compliance with certain provisions of laws and regulations, noncompliance\nwith which could have a direct and material effect on the determination of schedule amounts and\ncertain other laws and regulations specified in OMB Bulletin No. 06-03. We limited our tests of\ncompliance to those provisions, and we did not test compliance with all laws and regulations\napplicable to FMS.\n\nThe results of our tests of compliance disclosed no instances of noncompliance with the laws and\nregulations described in the preceding paragraph or other matters that are required to be reported\nunder Government Auditing Standards and OMB Bulletin No. 06-03.\n\nProviding an opinion on compliance with certain provisions of laws and regulations was not an\nobjective of our audit and, accordingly, we do not express such an opinion.\n\nThis report is intended solely for the information and use of the management of FMS, the\nDepartment of the Treasury Office of Inspector General, the OMB, the Government\nAccountability Office and Congress, and is not intended to be and should not be used by anyone\nother than these specified parties.\n\n\na1\nCalverton, Maryland\nOctober 31, 2006\n\n\nOffices in 15 states and Washington, DC         5\n\x0c               U. S. DEPARTMENT OF THE TREASURY,\n                FINANCIAL MANAGEMENT SERVICE\n         SCHEDULES OF NON-ENTITY GOVERNMENT-WIDE CASH\n                           (In Thousands)\n\n\n\n\n                                                              September 30,\n                                                       2006                   2005\n\nCash, Foreign Currency and Other Monetary\n         Assets (Notes 1 and 2)                  $ 44,243,218          $ 28,433,173\n\n\n\n\n            The accompanying notes are an integral part of these schedules.\n\n                                            6\n\x0c                   U. S. DEPARTMENT OF THE TREASURY,\n                    FINANCIAL MANAGEMENT SERVICE\n       NOTES TO SCHEDULES OF NON-ENTITY GOVERNMENT-WIDE CASH\n                           September 30, 2006 and 2005\n\n\n\nNOTE 1 \xe2\x80\x93 SUMMARY OF SIGNIFICANT ACCOUNTING POLICIES\n\nReporting Entity\n\nThe Financial Management Service (FMS) is a bureau of the U. S. Department of the Treasury\n(Treasury). FMS\xe2\x80\x99 mission is to improve the quality of the Federal government\xe2\x80\x99s financial\nmanagement. FMS\xe2\x80\x99 commitment and responsibility is to help its customers achieve success.\nFMS does this by linking program and financial management objectives and by providing\nfinancial services, information, advice, and assistance to its customers. FMS serves taxpayers,\nTreasury, federal program agencies, and government policy makers.\n\nNon-entity accounts are those accounts that FMS holds but are not available to FMS in its\noperations. For example, FMS accounts for certain cash that the Federal Government collects\nand holds on behalf of the U. S. Government or other entities. This schedule includes the non-\nentity government-wide cash accounts.\n\nBasis of Accounting\n\nThe standards used in the preparation of the accompanying schedule are issued by the Federal\nAccounting Standards Advisory Board (FASAB), as the body authorized to establish generally\naccepted accounting principles for federal government entities. Accordingly, the accompanying\nschedules are prepared in accordance with generally accepted accounting principles.\n\nThe accompanying schedule is different from the financial reports, prepared by FMS pursuant to\nOMB directives that are used to monitor and control FMS\xe2\x80\x99 use of budgetary resources.\n\nIntra-governmental Financial Activities\n\nThe financial activities of FMS are affected by, and are dependent upon, those of the U. S.\nDepartment of the Treasury and the Federal Government as a whole. Thus, the accompanying\nschedules do not reflect the results of all financial decisions and activities applicable to FMS as if\nit were a stand-alone entity.\n\n\nNOTE 2 \xe2\x80\x93 NON-ENTITY CASH, FOREIGN CURRENCY, AND OTHER MONETARY\nASSETS\n\nNon-entity cash, foreign currency, and other monetary assets include the Operating Cash of the\nFederal Government, managed by Treasury. Also included is foreign currency maintained by\nvarious U. S. and military disbursing offices.\n\n\n\n\n                                                  7\n\x0c                  U. S. DEPARTMENT OF THE TREASURY,\n                   FINANCIAL MANAGEMENT SERVICE\n      NOTES TO SCHEDULES OF NON-ENTITY GOVERNMENT-WIDE CASH\n                          September 30, 2006 and 2005\n\n\n\nNOTE 2 \xe2\x80\x93 NON-ENTITY CASH, FOREIGN CURRENCY, AND OTHER MONETARY\nASSETS (CONTINUED)\n\nOperating Cash of the Federal Government represents balances, net of outstanding checks, from\ntax collections, customs duties, other revenue, federal debt receipts, and other various receipts\nnet of cash outflows for budget outlays and other payments.\n\nOperating Cash of the Federal Government is held in the Federal Reserve Banks (FRBs), foreign\nand domestic financial institutions, and in U. S. Treasury Tax and loan accounts. U. S. Treasury\nTax and Loan Accounts include funds invested through the Term Investment Option program\nand the Repo Pilot program. Under the Term Investment Option program Treasury agrees that\nfunds will remain in the account for the specified period of time. Under the Repo Pilot program\nTreasury \xe2\x80\x9cguarantees\xe2\x80\x9d that invested funds will remain in the account for the predetermined term\nof each investment. However, under both programs Treasury reserves the right to call the funds\nprior to maturity under special circumstances.\n\nOperating Cash of the Federal Government held by depositary institutions is either insured (for\nbalances up to $100,000) by the Federal Deposit Insurance Corporation or collateralized by\nsecurities pledged by the depositary institution, or through securities held under reverse\nrepurchase agreements.\n\n\n\n\n               This information is an integral part of the accompanying schedules.\n\n                                               8\n\x0cATTACHMENT\n\n\n\n\n    9\n\x0c\x0c\x0c'